Try all valid pa-datas in as_rep before giving up. Send back an empty

pa-data if the client has the v4 flag set.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2472 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/kerberos5.c

@@ -101,94 +101,111 @@ as_rep(krb5_context context,
     }
 
 
-    if(req->padata == NULL || req->padata->len < 1 ||
+    if(req->padata){
-       req->padata->val->padata_type != pa_enc_timestamp) {
+	int i;
-	if(require_enc_timestamp){
+	PA_DATA *pa;
-	    PA_DATA foo;
+	int found_pa = 0;
-	    u_char buf[16];
+	for(i = 0; i < req->padata->len; i++){
-	    size_t len;
+	    PA_DATA *pa = &req->padata->val[i];
-	    krb5_data foo_data;
+	    if(pa->padata_type == pa_enc_timestamp){
+		krb5_data ts_data;
+		PA_ENC_TS_ENC p;
+		time_t patime;
+		size_t len;
+		EncryptedData enc_data;
 		
-	    foo.padata_type = pa_enc_timestamp;
+		found_pa = 1;
-	    foo.padata_value.length = 0;
-	    foo.padata_value.data   = NULL;
 		
-	    encode_PA_DATA(buf + sizeof(buf) - 1,
+		ret = decode_EncryptedData(pa->padata_value.data,
-			   sizeof(buf),
+					   pa->padata_value.length,
-			   &foo,
+					   &enc_data,
-			   &len);
+					   &len);
-	    foo_data.length = len;
+		if (ret) {
-	    foo_data.data   = buf + sizeof(buf) - len;
+		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		    kdc_log(0, "Failed to decode PA-DATA -- %s", client_name);
+		    goto out;
+		}
 
-	    ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
+		ret = krb5_decrypt (context,
-	    krb5_mk_error(context,
+				    enc_data.cipher.data,
-			  ret,
+				    enc_data.cipher.length,
-			  "Need to use PA-ENC-TIMESTAMP",
+				    enc_data.etype,
-			  &foo_data,
+				    &client->keyblock,
-			  client_princ,
+				    &ts_data);
-			  server_princ,
+		free_EncryptedData(&enc_data);
-			  0,
+		if(ret){
-			  reply);
+		    e_text = "Failed to decrypt PA-DATA";
-	
+		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-	    kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
+		    continue;
-	    goto out2;
+		}
+		ret = decode_PA_ENC_TS_ENC(ts_data.data,
+					   ts_data.length,
+					   &p,
+					   &len);
+		krb5_data_free(&ts_data);
+		if(ret){
+		    e_text = "Failed to decode PA-ENC-TS-ENC";
+		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		    continue;
+		}
+		patime = p.patimestamp;
+		free_PA_ENC_TS_ENC(&p);
+		if (abs(kdc_time - p.patimestamp) > context->max_skew) {
+		    ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		    krb5_mk_error (context,
+				   ret,
+				   "Too large time skew",
+				   NULL,
+				   client_princ,
+				   server_princ,
+				   0,
+				   reply);
+		    kdc_log(0, "Too large time skew -- %s", client_name);
+		    goto out2;
+		}
+		et->flags.pre_authent = 1;
+		kdc_log(2, "Pre-authentication succeded -- %s", client_name);
+		break;
+	    }
 	}
-    } else {
+	/* XXX */
-	krb5_data ts_data;
+	if(found_pa == 0)
-	PA_ENC_TS_ENC p;
+	    goto use_pa;
-	time_t patime;
+	if(et->flags.pre_authent == 0){
+	    kdc_log(0, "%s -- %s", e_text, client_name);
+	    e_text = NULL;
+	    goto out;
+	}
+    }else{
+	PA_DATA foo;
+	u_char buf[16];
 	size_t len;
-	EncryptedData enc_data;
+	krb5_data foo_data;
 	
-	ret = decode_EncryptedData(req->padata->val->padata_value.data,
+    use_pa:
-				   req->padata->val->padata_value.length,
+	foo.padata_type = pa_enc_timestamp;
-				   &enc_data,
+	foo.padata_value.length = 0;
-				   &len);
+	foo.padata_value.data   = NULL;
-	if (ret) {
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-	    kdc_log(0, "Failed to decode PA-DATA -- %s", client_name);
-	    goto out;
-	}
 	
-	ret = krb5_decrypt (context,
+	encode_PA_DATA(buf + sizeof(buf) - 1,
-			    enc_data.cipher.data,
+		       sizeof(buf),
-			    enc_data.cipher.length,
+		       &foo,
-			    enc_data.etype,
+		       &len);
-			    &client->keyblock,
+	foo_data.length = len;
-			    &ts_data);
+	foo_data.data   = buf + sizeof(buf) - len;
-	free_EncryptedData(&enc_data);
+	
-	if (ret) {
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	krb5_mk_error(context,
-	    kdc_log(0, "Failed to decrypt PA-DATA -- %s", client_name);
+		      ret,
-	    goto out;
+		      "Need to use PA-ENC-TIMESTAMP",
-	}
+		      &foo_data,
-	ret = decode_PA_ENC_TS_ENC(ts_data.data,
+		      client_princ,
-				   ts_data.length,
+		      server_princ,
-				   &p,
+		      0,
-				   &len);
+		      reply);
-	krb5_data_free(&ts_data);
+	
-	if (ret) {
+	kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	goto out2;
-	    kdc_log(0, "Failed to decode PA-ENC-TS-ENC -- %s", client_name);
-	    goto out;
-	}
-	patime = p.patimestamp;
-	free_PA_ENC_TS_ENC(&p);
-	if (abs(kdc_time - p.patimestamp) > context->max_skew) {
-	    krb5_mk_error (context,
-			   KRB5KDC_ERR_PREAUTH_FAILED,
-			   "Too large time skew",
-			   NULL,
-			   client_princ,
-			   server_princ,
-			   0,
-			   reply);
-	    ret = KRB5KDC_ERR_PREAUTH_FAILED;
-	    kdc_log(0, "Too large time skew -- %s", client_name);
-	    goto out2;
-	}
-	et->flags.pre_authent = 1;
-	kdc_log(2, "Pre-authentication succeded -- %s", client_name);
     }
 
     /* Find appropriate key */
@@ -351,6 +368,12 @@ as_rep(krb5_context context,
 	rep.enc_part.kvno = malloc(sizeof(*rep.enc_part.kvno));
 	*rep.enc_part.kvno = client.kvno;
 #endif
+	if(client->flags.b.v4){
+	    rep.padata = malloc(sizeof(*rep.padata));
+	    rep.padata->len = 1;
+	    rep.padata->val = calloc(1, sizeof(*rep.padata->val));
+	    rep.padata->val->padata_type = pa_pw_salt;
+	}
 	
 	ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
 	free_AS_REP(&rep);